Re: [arch-d] Treating "private" address ranges specially

Christian Huitema <huitema@huitema.net> Thu, 01 April 2021 05:31 UTC

To: Martin Thomson <mt@lowentropy.net>, architecture-discuss@ietf.org
From: Christian Huitema <huitema@huitema.net>
Message-ID: <8195e468-6507-e500-4a25-fcd90f81e759@huitema.net>
Date: Wed, 31 Mar 2021 22:30:33 -0700
In-Reply-To: <955f0978-7416-4d20-9d8a-27dace821092@www.fastmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/architecture-discuss/qRGY6FDayTwrkQSql77U_ApOD08>

On 3/31/2021 8:57 PM, Martin Thomson wrote:

> On Thu, Apr 1, 2021, at 14:33, Christian Huitema wrote:
>> Do you have a description of the type of attacks you are thinking of?
> This is a general problem of which I have only a handful of concrete examples.
>
> The proposal mentions SOHO Pharming, though the link is broken.  In essence, that attack abused default passwords and poorly secured routers to allow DNS configuration on those routers to be hijacked.  This sort of thing is fixed by any of a bunch of things (HTTPS, better passwords, changes to local topology, DoH), but it was still shockingly effective.
>
> The other example I'm aware of is the Zoom problem (last year?  seems longer ago) where they ran a server on loopback that took instruction from random websites.  That was poorly secured and could be exploited.
>
> I'm not clear on whether this particular proposal aims to address this (it might not) but enumeration of servers on local networks could be another target.  (It doesn't appear to attempt to block the timing side channels that are typically used for this, but it could.)

I found a copy of the SOHO Pharming paper at 
http://courses.isi.jhu.edu/netsec/papers/Driveby_Pharming.pdf. The 
attack required a combination of Java Applet or ActiveX, JavaScript, and 
routers configured with the default password. AFAIK, ActiveX is mostly 
gone. The two suggested mitigations were to (1) uninstall Java and (2) 
change the router password. Of course, not everybody will do that.

If I remember correctly, at the end of the discussion of request forgery 
attacks in the QUIC WG, most implementers concluded that the best we 
could do was "protect loopback", precisely because the definition of 
"private networks" is way too fuzzy to make defense practical. How is 
this different?

-- Christian Huitema
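As an added illustration of the distinction drawn in this message (loopback is crisply defined, "private" is a grab bag of RFC-allocated blocks), here is an address classifier and a "protect loopback" gate written for this post; it is example code, not anything from the thread or from the proposal under discussion. The initiator/target model and the list of ranges treated as "private" are assumptions chosen for the example, and the function names are hypothetical.

```python
import ipaddress

# Loopback is one block per address family (127.0.0.0/8 and ::1).
# "Private" has no single definition; this list is an assumption for the
# example and mixes RFC 1918, RFC 6598 shared space, link-local and ULA,
# which is exactly why the thread calls the term fuzzy.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                   # RFC 6598 (CGNAT)
    "169.254.0.0/16", "fe80::/10",                     # link-local
    "fc00::/7",                                        # RFC 4193 ULA
)]

def normalize(addr):
    """Unwrap IPv4-mapped IPv6 so ::ffff:127.0.0.1 is still seen as loopback.
    A classifier that forgets this step lets a mapped address slip past."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def classify(addr):
    """Return 'loopback', 'private' or 'public' for a textual IP address."""
    ip = normalize(addr)
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in PRIVATE_NETS):
        return "private"
    return "public"

# Hypothetical policy matching the conclusion quoted in the message:
# only loopback is protected, and only from less-private initiators.
RANK = {"public": 0, "private": 1, "loopback": 2}

def allow_request(initiator, target):
    """True unless a non-loopback initiator is reaching a loopback target."""
    if classify(target) != "loopback":
        return True
    return RANK[classify(initiator)] == RANK["loopback"]
```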